When Developers' API Simplify User-mode Rootkits Developing


This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as usermode rootkits.
http://hakin9.org/theultimat/

Transcript

DEFENCE
When Developers API Simplify User-mode Rootkits Developing
(Hakin9 01/2012, p. 124)

Cybercrime is becoming a growing threat to society. Theft of information, website crashing and manipulation of online payment traffic are also increasing. Many organizations offer various services for the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

Smartphones have been equipped with operating systems that compare in complexity with those on desktop computers. This trend makes them vulnerable to many of the same threats as a desktop OS. The past several years of mobile malware are no longer only theory: there has been malware, loss, theft, interception of data communication, exploitation, etc. This is because the decreasing cost of mobile devices allowed them to gain richer software interfaces that let users interact better with the cyber and physical worlds. For example, mobile devices are often pre-installed with a number of applications, including clients for location-based services and general-purpose web browsers used for chatting and social networking. The increasing number of mobile-related exploits tends to produce security breaches, which have put the industry at a critical point. The greatest risk to all mobile OSes is the rapid development and distribution of applications through so-called app markets, while most application markets provide an ideal transport mechanism for delivering malicious software into the heart of industry's networks. According to Juniper Networks, the following holds for mobile malware:

• Mobile device and OS market share and mobile malware infection rates are linked.
• Mobile malware uses the same techniques as PC malware to infect mobile devices.
• The greatest mobile malware risk comes from the rapid proliferation of applications from app stores.
• RIM BlackBerry, Google Android and Apple iOS operating systems suffer predominantly from spyware applications.

That is quite right. If you want to distribute malware, take the most popular application or game on the most popular device you are going to infect and place the malware application into a „warez" storage. For example, take any game for Android/iOS that is not free (like Angry Birds) and place a supposedly cracked version on a non-official Android market. The application does not even need to be the game. To prove this idea, let's go back to November 2010, when security researchers Jon Oberheide and Zach Lanier unveiled an Android exploit at an Intel security conference in Oregon. They showed that the Android security model includes a flaw that allows an application to invisibly download additional executable applications, known as APK files, without requiring the user's permission. Their proof-of-concept malware did not contain any actual malicious code; it simply portrayed itself as bonus levels for Angry Birds that, once installed, would open up more levels for the player. In reality, nothing related to Angry Birds was ever included in the application. However, Oberheide and Lanier proved that users could be tricked into downloading this application, and that the application could download and install additional applications without prompting the user to approve the additional installs, or to verify any agreement required for the background applications to be installed.

Unfortunately, BlackBerry suffers from the same problem. Mobile environments make very attractive targets for attackers. Important personal and financial information can easily be compromised because phone usage is a part of day-to-day user activities. For example, mobile devices are being used for chatting, email, storing personal and even financial data, pictures, videos, GPS tracks and audio notes.

A rootkit is a stealthy type of malicious software, designed to keep itself, other files, or network connections hidden from detection. A rootkit typically intercepts common API calls to modify or filter information from the operating system to keep itself hidden. For example, it can intercept requests to the file explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. There are legitimate uses for rootkits by law enforcement, parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' or children's computer systems.

As another example, rootkits are commonly used to conceal keyloggers, which steal sensitive user data, such as passwords and credit card numbers, by silently logging keystrokes. Rootkits are designed to maintain access to targeted computers. Rootkits can also disable firewall/antivirus tools by replacing files, changing settings or modifying what the antivirus application can see. None of these activities are directly visible to the user because the rootkit conceals its presence.

There are several kinds of rootkits: bootkits, firmware, user-mode, kernel and hypervisor. A further discussion needs to compare kernel-mode with user-mode rootkits.

Kernel-mode rootkits involve system hooking or modification in kernel space, which is the ideal place because it is at the lowest level, the highest level of security, and thus is the most reliable and robust method of system hooking.

As a system call's execution path leaves user mode and enters kernel mode, it must pass through a gate. This gate must be able to recognize the purpose of the incoming system call, initiate the execution of code inside kernel space and then return results back to the incoming user-mode system call. It's a kind of proxy between user mode and kernel mode. One of the rootkit techniques is to simply modify data structures in kernel memory. For example, kernel memory must keep a list of all running processes, and a rootkit can simply remove itself and other malicious processes it wishes to hide from this list. Rootkits do this by inserting into or patching the code that lists running processes and then filtering what processes are reported as running.

User-mode rootkits involve system hooking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path, and along it the rootkit can intercept it. One of the most common user-mode techniques is in-memory modification of system libraries. Because applications run in their own memory space, the rootkit needs to patch the memory space of every running application to keep control. Moreover, the rootkit has to monitor for new applications in order to patch those programs' memory space too.

User-mode rootkits run in Ring 3, along with other applications as the user, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behaviour of application programming interfaces (APIs). Some inject a dynamically-linked library, like a .DLL file on Windows, into processes, and are thereby able to execute inside any target process to spoof it. Injection mechanisms include:

• Use of vendor-supplied application extensions. For example, Windows Explorer, as well as any mobile platform like BlackBerry, has public interfaces that allow third parties to extend its functionality.
• Interception of messages.
• Exploitation of security vulnerabilities.
• Function hooking or patching of commonly used APIs, for example, to mask a running process or a file that resides on a file system.

Windows-based rootkits modify paths and system structures; these methods are used to mask network activity, registry keys and processes. Rootkits modify all the things which could alert a user to the fact that a malicious program is active in the system. Implementation of user-mode rootkits is relatively easy. Most often, a method based on hooking API functions is used to modify the path to executables.

Many rootkit techniques are well documented and used by normal applications. Example: a desktop firewall program may use similar hooking to watch and alert the user to any outgoing network connections, while a rootkit will use it to hide its backdoor activities. The legitimizing effect of commercial rootkit software is leading away from user-mode and toward kernel-mode techniques at first glance. However, user-mode rootkits still have the ability to bypass security applications. Non-official marketplaces are now widely available on the Internet, therefore malware writers don't even ponder over how to spread it. It's very easy to integrate several technologies into one malware attack.

User-mode rootkits exist for *NIX and Windows and are known for mobile devices such as Android or BlackBerry.

Why not BlackBerry?

BlackBerry smartphone applications include inherent virus protection and spyware protection that is designed to contain and prevent the spread of viruses and spyware to other applications. Security is known as the cornerstone of the BlackBerry system that allows users to confidently access sensitive information.

Previous attacks on BlackBerry included several exploits, password thefts, screen information, chat messages and other data. All of the described attacks can be put into practice at the application (user-mode) level. While root mode provides the powerful ability to feel like God, the application level has the ability for wide spreading, easy distribution, misleading and, finally, easy development. The most popular approach in the security field is to operate as if always under attack. Well-established products will provide the end user with some protection. Meanwhile, vendors start to develop security measures as hackers continue to develop new rootkits/exploits. That's why the application level is one of the most interesting to research, and actually it will always be relevant and useful to take it under investigation. Forensic investigation can be conducted on cloud or mobile devices, but you're still able to extract most data (computers and servers). However, it's really a problem when accessing the network card at a high level at first glance, but don't forget about browser plugins, IM plugins, etc. Therefore this level, based on an API opened to developers, clearly leads to exploitation.

Coming back to my previous articles, I'm going to refresh some ideas of these attacks. The first article (Is Data Secure on the Password Protected Blackberry Device? Hakin9, February 2011) discussed password protection, mainly password masking as a point of protection. It's obvious that in most cases masking passwords doesn't even increase security, but it does cost your business due to login failures. Visualizing the system status has always been among the most basic usability principles. Showing asterisks while users enter complex codes definitely fails to comply. Another background point was keystroke emulation as a kind of underlying principle of direct interaction with the screen. BlackBerry has an API managed by applications that eventually ask the user to choose restrictions via shown API requests. Why does a user agree with it? Some applications, such as a phone manager, have no other way to communicate with high-level hardware to catch incoming calls and auto pick up. It seems there is no failure, because the user installs applications and allows their policies. However, the issue covers all screens that can be managed by keystroke emulation or navigation emulation, or any textbox. One exploit shown in the article worked by „noising" the input text field. The major concept is in using the most complex password, in the range of 14-18 case-sensitive symbols. That's right: you're obliged to use the most complex password, and you never see the noise symbol until unmasking happens, which usually leads to device wiping (Figures 1 and 2).

Figure 1. Noising password field
Figure 2. Result of noising password field

The next bad idea discussed in the same article is based on the global permission for screen capturing, like the previous keystroke emulation. Your choice of whether you want to use such an application, for example to capture a lot of screenshots to make a video tutorial, is only between yes and no. Thus, in my other article (Why is password protection a fallacy point of view? Hakin9 Extra, June 2011) I showed that you can sniff password data. Two issues for further discussion:

• Keylogger
• Datalogger

Many thanks to Apple's patent (if I'm not mistaken) for the asterisk masking lag. More details: when you touch the screen to type a character, a big-scaled preview appears. When you do the same while typing

a password into a masked text box, you can see that every character is going to be masked by an asterisk or black circle about 1-2 seconds afterward. This is quite true of all mobile devices. But if you use a hardware keyboard you will never see it. Reasonably, the password preview is only used when the keyboard is a SureType or multitap keyboard. The Bold keyboard is a full keyboard, so it won't duplicate that behavior. Such a preview is screenshot-able. Average statistical data shows that 300-400 msec is good enough to steal each button press, like letters, numerics, switching between letters and numerics or symbols, or pressing some kind of shift/caps lock. If you want to be totally sure, set a 100 msec timer to get everything (Figures 3-7).

Despite the big bug in managing passwords well with your brain, and the previous exploitation, each user has a problem with password managers. BlackBerry gives an opportunity to choose the pre-installed Password Keeper or BlackBerry Wallet. Both can be screen-captured! A good question is why we can't take control over all window applications (even 3rd-party apps). Some kind of answer: the clipboard manager restricts data extraction while the Password Keeper/BlackBerry Wallet window is active, until you minimize or close it. Is it really needed in protection by password masking (Figure 8)?

The next failures with passwords discussed in that article highlight the attacker's capability to steal the password while you're syncing your device with a PC (discussed for Windows-based PCs only), for example by catching the sync event and starting screen capturing. The PC side needs protection too. There are four attacks there. Unfortunately, we can't get a screen capture.

The first of them dealt with the previous version of BlackBerry Device Manager (versions 4-5), developed in C++. It divides into two builds (Windows Seven and Windows XP). The second of them referred to BlackBerry Desktop Manager (version 6), developed mainly in .NET. The third of them expanded the previous one to the case of getting the password that is typed before a backup starts. The fourth of them dealt with silent connecting if you've got a device password, to wipe it for example.

Figure 3. Screen-capture of browser #1
Figure 4. Screen-capture of browser #1
Figure 5. Screen-capture of password's creation window
Figure 6. Screen-capture of device-unlocking

Figure 7. Screen-capture of device-unlocking while PC-syncing
Figure 8. Screen of BlackBerry Wallet
Figure 9. Attacking BlackBerry Device Manager
Figure 10. Attacking BlackBerry Desktop Software

Recalling what we know about system messages: the system object tells us that an edit box is a simple field for typing characters, up to ~32k in length, with a PasswordChar property. Its default value is #0, i.e. NULL or 0. Another masking character could be a black circle, an asterisk or anything else; 0x25CF is the Unicode character for the black circle. Every system object, like a modal window or textbox, responds to API subroutines such as SendMessage or PostMessage. Both subroutines send the specified message to a window or windows. But if you need to post a message in the message queue associated with a thread, you should use the PostMessage function. The parameters' syntax is the same. The first parameter (Type: HWND) is a handle to the window whose window procedure will receive the message. The second parameter (Type: UINT) is the message to be sent. The other two parameters (Type: WPARAM, Type: LPARAM) represent additional message-specific information. It's easy to guess that we need the WM_GETTEXT (0x000D) message, because it copies the text that corresponds to a window into a buffer provided by the caller. However, if the edit box is masked you can't copy the text, because you get a NULL pointer. Well then, unmask, copy and mask again.

In 2003 a MS Windows PostMessage API Unmasked Password Weakness was found. It was declared to affect MS Windows 2000 and XP and could effectively allow unmasked passwords to be copied into a user's clipboard or other buffer. The EM_SETPASSWORDCHAR (Type UINT, Message) message sets the password mask character in password edit box controls. PostMessage may be abused in combination with EM_SETPASSWORDCHAR messages to cause an unmasked password to be placed into a buffer which could potentially be accessed through other means by an unauthorized process. The unmasked password can be copied while this is occurring. If we try to use this code in Vista or Windows 7 we get nothing, because it's more correct to set a system hook in the owner's address space via loading a DLL catcher. But in that case you should know the OS version, right? Roughly, we need the so-called Major Version to distinguish XP and Seven. Most of this repeats the previous

parts when you deal with BlackBerry Desktop Manager. You can filter by application name, etc., to gain access to the typed password. Three HwndWrapper class-name texts were presented in my article to catch the backup password, as some kind of extended filters (Figures 9 and 10).

Most of these attacks filled a forensics article (To Get Round To The Heart Of Fortress, Hakin9 Extra, August 2011). This article discovered problems with anti-forensic methods, especially when we talk about live forensics. As an example, we can extract device information, hardware ID, PIN, OS version, and some more about applications like Facebook (Listing 1).

Listing 1. FaceBook Additional Info
    FaceBook Additional Info
    Friendly name: Facebook
    Description: Facebook® for BlackBerry® smartphones makes it even easier to connect and share while you're on the go...
    Version: 2.0.0.37
    Vendor: Research In Motion Limited
    Copyright: (null)

Using live methods we are able to extract Address Book, Calendar Events, Call History, Browser history and bookmarks, Memos and Tasks, Screenshots, Camera shots, Video-camera shots, Clipboard, Location tracking (cell, wifi, GPS, Bluetooth), SMS/MMS/Emails, Pictures, Videos, Voice notes and other files, IMs, etc. BlackBerry EXIF picture information tells you about the filename, details of the camera (e.g. RIM BlackBerry Torch as the name), DateTime, Resolution or GPS. Also, you can find saved IM history (even BBM) on internal storage or SD storage. All files holding IM history have a simple CSV format: Date/Time, ID Sender, ID Receiver, and Data.

The security conference InfoSecurity Russia 2011 mentioned several APIs to protect from forensic analysis in respect of emails and PIN. It reconstructs PIN or email messages with any property flag, such as received, rejected, read, delivered, etc. The idea consists in simulating a lot of messages to water down the purport of the proof thread.

To imagine how many types of information your device owns, just look above. And that's only personal data. There are many trojans that steal money by calling Antarctica or the Dominican Republic. If every call costs at least $3 per minute, then one compromised device can lead to $10k per month. Don't forget that developing is easy and needs to be compact. Look at Listing 2, where premium_number is a string and PhoneArguments may be used by default.

Listing 2.
    PhoneArguments phoneArgs = new PhoneArguments(PhoneArguments.ARG_CALL, premium_number);
    Invoke.invokeApplication(Invoke.APP_TYPE_PHONE, phoneArgs);

However, BlackBerry Enterprise Solution has several powerful rules to manage emails, phone numbers or SMS/MMS. An administrator can add rules like +7r to disallow incoming or outgoing calls (or both types) to the Russian Federation. The same holds for emails, apart from spam filtering.

The idea was to highlight the failure of group policy such as I have discussed. Some of them are obvious if you're an Android user: when users try to download any application or game, a permission request asks to allow it to install. BlackBerry is quite the contrary, but if you allow SMS or email permission to an application, you activate any possible action in relation to messages, like deleting, creating, reading, intercepting, etc., while Amazon (AWS) The Cloud has a feature to control, in custom policy mode, any possible API declared as a developer API.

Yury Chemerkin
Graduated from Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Researcher since 2009 and currently works as a mobile and social infosecurity researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Researching, Documentation, Security Writing as a regular contributor. Now researching Cloud Security and Social Privacy.
E-mail: yury.chemerkin@gmail.com (yury.chemerkin@facebook.com)
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: www.linkedin.com/in/yurychemerkin
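The article notes that the saved IM history files have a simple CSV layout (Date/Time, ID Sender, ID Receiver, Data) and, separately, that anti-forensic tools pad a thread with simulated messages. The following is an added example for the forensic side, not code from the article or from RIM: it parses that layout, rebuilds the conversation threads, and lists rows that repeat verbatim, which an examiner would want to check before treating a thread as proof. The timestamp format, the 8-hex-digit IDs and the sample lines are constructed assumptions.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in the IM-history layout the article describes:
# Date/Time, ID Sender, ID Receiver, Data. The timestamp format and the
# PIN-style IDs are assumptions; the last row duplicates the second on purpose.
SAMPLE_IM_HISTORY = """\
2011-08-15 14:03:22,2A1B3C4D,5E6F7A8B,"hi, are you at the office?"
2011-08-15 14:03:10,5E6F7A8B,2A1B3C4D,not yet
2011-08-15 14:04:01,2A1B3C4D,5E6F7A8B,"ok, call me when you arrive"
2011-08-15 14:05:30,9C0D1E2F,2A1B3C4D,meeting moved to 15:00
2011-08-15 14:03:10,5E6F7A8B,2A1B3C4D,not yet
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the Date/Time column


def parse_im_history(text):
    """Return one dict per well-formed row; quoted Data may itself contain commas."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 4:
            continue  # tolerate a truncated row instead of aborting the whole file
        when, sender, receiver, data = (field.strip() for field in rec)
        rows.append({"when": datetime.strptime(when, TIME_FORMAT),
                     "sender": sender, "receiver": receiver, "data": data})
    return rows


def conversations(rows):
    """Group messages by the unordered pair of IDs and order each thread by time."""
    threads = defaultdict(list)
    for row in rows:
        threads[tuple(sorted((row["sender"], row["receiver"])))].append(row)
    for msgs in threads.values():
        msgs.sort(key=lambda r: r["when"])
    return dict(threads)


def duplicate_rows(rows):
    """Rows repeated verbatim (same time, IDs and text). A history padded with
    simulated messages, as the article describes, tends to show such repeats."""
    counts = Counter((r["when"], r["sender"], r["receiver"], r["data"]) for r in rows)
    return [key for key, n in counts.items() if n > 1]


if __name__ == "__main__":
    parsed = parse_im_history(SAMPLE_IM_HISTORY)
    for pair, msgs in conversations(parsed).items():
        print(pair, len(msgs), "messages,", msgs[0]["when"], "to", msgs[-1]["when"])
    print("verbatim duplicates:", duplicate_rows(parsed))
```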
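The article contrasts the premium-number trojan of Listing 2 with BlackBerry Enterprise rules such as +7r and the $3-per-minute cost of such calls. As an added example, not code from the article or from RIM, the block below evaluates rules in that written form against a constructed call history and totals the outgoing cost the policy would have stopped. Treating the trailing "r" as "any remaining digits", and the country prefixes used for the two destinations the article names, are assumptions.

```python
import re

# Rules as the article writes them ("+7r" disallows calls to the Russian
# Federation). Reading the trailing "r" as "any remaining digits" is an
# assumption; the prefixes for Antarctica and the Dominican Republic are
# assumed too and serve only as illustration.
RULES = [
    {"pattern": "+7r",    "direction": "both"},  # Russian Federation
    {"pattern": "+672r",  "direction": "out"},   # Antarctica (assumed prefix)
    {"pattern": "+1809r", "direction": "out"},   # Dominican Republic (assumed prefix)
]


def normalize(number):
    """Strip spaces, dashes and brackets; turn an international 00 prefix into +."""
    digits = re.sub(r"[^0-9+]", "", number)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits


def rule_matches(pattern, number):
    """A pattern ending in r matches any number with that prefix; otherwise exact."""
    if pattern.endswith("r"):
        return number.startswith(pattern[:-1])
    return number == pattern


def is_blocked(number, direction, rules=RULES):
    """direction is "in" or "out"; a rule with direction "both" covers either."""
    number = normalize(number)
    return any(rule["direction"] in ("both", direction)
               and rule_matches(rule["pattern"], number) for rule in rules)


# Constructed call-history records: (direction, dialled number, minutes).
# The first entry stands in for a number like Listing 2's premium_number.
CALL_HISTORY = [
    ("out", "+1 809 555 0147", 12),
    ("out", "+7 495 555 0100", 3),
    ("in",  "+7 495 555 0100", 1),
    ("out", "0049 30 555 0199", 5),   # no rule covers this destination
]


def audit_calls(history, cost_per_minute=3.0, rules=RULES):
    """Return the calls the policy denies and the outgoing cost they represent
    at the article's $3-per-minute figure."""
    blocked = [call for call in history if is_blocked(call[1], call[0], rules)]
    cost = sum(minutes for d, _, minutes in blocked if d == "out") * cost_per_minute
    return blocked, cost


if __name__ == "__main__":
    denied, saved = audit_calls(CALL_HISTORY)
    for direction, number, minutes in denied:
        print(f"denied {direction:3} {normalize(number)} ({minutes} min)")
    print(f"outgoing cost avoided: ${saved:.2f}")
```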